Re: PCI Security and cross-site scripting issues
On Feb 18, 6:42am, Andy Dingley <ding...@codesmiths.com> wrote:
> On 18 Feb, 08:31, MarkB <reelm...@gmail.com> wrote:
>
> > Hey, I have a question regarding your experiences and expertise with
> > PCI(Payment Card Industry; Visa,MC) security. I am writing this
> > because I have been, as of late, struggling to get a web site
> > certified recently
>
> There is no real "PCI certification" or official compliance checking.
> If only there was! We'd have a few less problems from some of the
> gross errors that are indeed out there.
>
Very good point, Andy. There seem to be a lot of companies that
provide 'PCI' compliance, but there doesn't seem to be any centralized
authority or standard for what constitutes PCI compliance when
compared to the ISO and computer hardware such as CD-ROMs and DVD-ROM
devices, and even that was in debate for many years.
> Also the CISP standards talk very little about "web apps" as such and
> are focussed far more on back-end DB issues. This is understandable
> given their legacy and their core competencies, but it doesn't mean
> the web server aspect can be ignored. Where they do state
> requirements, it's in broad terms such as "Card numbers must be
> encrypted", "Card numbers shouldn't be stored at all, unless needed
> for repeat billing", "Repeat billing setup should be clearly flagged
> to the customer" and "Don't even think about storing the CVV2". They
> don't even specify algorithms or standards for encryption, or indicate
> the benefits of PK for this rather than a symmetric key algorithm.
>
I could certainly live with this, as we do not store CC#s or CVV2s,
and everything is encrypted in the back end of the cart. We don't even
process credit cards online.
> > our site started failing security
> > scans and the error message was threefold: Citrix, ClearTrust Server,
> > & ASP Portal are vulnerable to cross-site scripting.
>
> You're going to have to ask the scanner what they're looking for and
> what they've found. The implementation details of a scan just aren't
> specified in this level of detail by the PCI people.
>
> You may actually have a problem. You might even be in a state where
> you really ought to be working rapidly to fix it and downing the site
> in the meantime - that bad! I rather doubt though if you have a
> problem that even flickers onto PCI's radar - just very few of them
> do.
>
> > many of which were filtered out by default such as "<" and ">".
>
> I've never seen a site that filtered these characters _out_ and yet
> _wasn't_ open to injection attacks. Don't filter the bad stuff out,
> filter the good stuff in! Otherwise you're just forever playing catch-
> up character by character through the Unicode set.
>
> Without knowing just what is running on there, I couldn't comment in
> any detail. However if you even have a Citrix directory accessible to
> a web server, I'd be worried. If you have one that you didn't know
> about, I'd regard the site as insecure simply because you no longer
> know just what is running on your site.
My web host ensures that I don't have Citrix on my server, although the
link that the security company provided showed one; however, they
admitted that this may be a representation rather than a reality. So,
whom to believe, and what to do next (outside of sanitizing and filtering
in the cart script that I do have access to, as opposed to the web.config
and machine.config that I don't have access to), I am not sure at this
moment. We will see...
Thanks for your thoughts. I do appreciate it.
-Mark
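An added example, not code from either poster, to show concretely why "filter the good stuff in" beats stripping "<" and ">" out. It contrasts a denylist filter with allowlist validation plus context-aware output encoding, using a constructed payload that contains neither angle bracket and yet breaks out of an HTML attribute. The field names, regexes and the cart-style form snippet are assumptions chosen for illustration, not anything from the site under discussion.

```javascript
// Added example (not from the thread). Denylist stripping of "<" and ">"
// versus allowlist validation plus HTML output encoding.

// Denylist: remove the two characters a scanner might flag. Everything else passes.
function denylistFilter(input) {
  return input.replace(/[<>]/g, "");
}

// Allowlist: accept only what a field is supposed to contain, reject the rest.
// Hypothetical field shapes for a shopping-cart form (assumption, not from the page).
const FIELD_RULES = {
  quantity: /^[1-9][0-9]{0,2}$/,      // 1..999
  postcode: /^[A-Za-z0-9 ]{3,10}$/,   // letters, digits, spaces
  name: /^[\p{L} .'-]{1,60}$/u,       // letters, space, a few punctuation marks
};

function validate(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule) throw new Error(`no rule for field ${field}`);
  return rule.test(value);
}

// Output encoding for HTML text and double-quoted attribute contexts.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Echo the customer's last input back into a form field, the way a cart page
// commonly does, once with the denylist and once with proper encoding.
function renderDenylist(name) {
  return `<input name="name" value="${denylistFilter(name)}">`;
}
function renderEncoded(name) {
  return `<input name="name" value="${encodeHtml(name)}">`;
}

// Constructed payload: no "<" or ">" at all, so the denylist leaves it intact,
// but it closes the value attribute and adds an event handler.
const PAYLOAD = `" onfocus="alert(document.cookie)" autofocus="`;

function demo() {
  const breaksOut = renderDenylist(PAYLOAD).includes('" onfocus="'); // true: attribute injected
  const contained = !renderEncoded(PAYLOAD).includes('" onfocus="'); // true: quotes encoded
  const rejected = !validate("name", PAYLOAD);                       // true: never accepted
  return { breaksOut, contained, rejected };
}

console.log(demo());
```

The allowlist rejects the payload before it is stored, and the encoder makes the stored value harmless in the attribute context even if validation were skipped; the denylist does neither, because the attack never needed the characters it removes.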